Cado Response Integration with Amazon GuardDuty using AWS Lambda

Related tags

DevOps Toolsguardduty-lambda-cado
Overview

Cado Response Integration with Amazon GuardDuty using AWS Lambda

This repository contains a simple example where:

  • An alert is triggered by GuardDuty
  • The alert is then picked up in EventBridge
  • EventBridge then calls an AWS Lambda function which...
  • Triggers Cado Response to perform a full capture and investigation of the compromised EC2 instance

Guard Duty and AWS Lambda

How to Deploy

If you want to try this yourself, you can deploy a free trial of Cado Response here.

In Guard Duty you can increase how often “repeat alarms” are sent - this is useful for testing (GuardDuty > Settings).

Screenshot

To trigger the Guard Duty alarms either click “Generate Sample Findings” (GuardDuty > Settings) or run our tool at https://github.com/cado-security/CloudAndContainerCompromiseSimulator

Screenshot

Create a Lambda function that is triggered by GuardDuty in EventBridge. It’s just a couple of clicks to hook it up - no need to mess around with SNS or WebHooks!

Screenshot

Now we need to create a Lambda function which will get the AWS Instance ID from the event and call the Cado Response API with it.

The code is in this repository (lambda_function.py) - if you run as Python3.7 in Lambda you can simple copy and paste this code. If you run with the latest Python3.9 - the requests library isn't built in anymore so you will need to download this repository as a zip then upload it to AWS Lambda. For ECS Fargate you’ll need the task name, more on that to come.

You will need to set environment variables such as the hostname of the Cado Response installation and API key:

Screenshot

You can test the Lambda function is working correctly by running the test event (test_event.json in this repository):

Screenshot

Which will result in output such as below. The EC2 import will fail as the instance will not exist in your environmet. You can also capture a real event from your own environment for testing:

Screenshot

In total this should take about 15 minutes to set up. And what you get from that is… about 10 minutes after the GuardDuty is triggered - Cado Response goes and collects a full copy of the system before it’s destroyed and hunts through it for logs, malware etc:

Screenshot

Screenshot

You can also enable exporting the GuardDuty logs and the Cado Response output into an S3 bucket. You can then import the Cado Response output into a SIEM such as Splunk or a Ticketing system such as Jira. You can push out thousands of events for a compromised system if you want them all.

Screenshot

What that means is you now get in your SIEM the original Guard Duty alert from AWS detections on the API & Network side of the house - sitting side by side with the on disk detections, logs, even full file strings contents of files if you want it. You can read more on this here.

Learn More

If you want to try this yourself, you can deploy a free trial of Cado Response here.

Owner
Cado Security
We're building a platform to push digital forensics forward into the cloud era.
Cado Security
GitHub Repository
A little script and trick to make your heroku app run forever without being concerned about dyno hours.

A little script and trick to make your heroku app run forever without being concerned about dyno hours.

Tiararose Biezetta 152 Dec 25, 2022
Flexible and scalable monitoring framework

Presentation of the Shinken project Welcome to the Shinken project. Shinken is a modern, Nagios compatible monitoring framework, written in Python. It

Gabès Jean 1.1k Dec 18, 2022
Nagios status monitor for your desktop.

Nagstamon Nagstamon is a status monitor for the desktop. It connects to multiple Nagios, Icinga, Opsview, Centreon, Op5 Monitor/Ninja, Checkmk Multisi

Henri Wahl 361 Jan 05, 2023
Create pinned requirements.txt inside a Docker image using pip-tools

Pin your Python dependencies! pin-requirements.py is a script that lets you pin your Python dependencies inside a Docker container. Pinning your depen

4 Aug 18, 2022
Django-Kubernetes - Learn how to deploy a docker-based Django application into a Kubernetes cluster into production on DigitalOcean

Django & Kubernetes Learn how to deploy a production-ready Django application in

Coding For Entrepreneurs 100 Jan 01, 2023
A lobby boy will create a VPS server when you need one, and destroy it after using it.

Lobbyboy What is a lobby boy? A lobby boy is completely invisible, yet always in sight. A lobby boy remembers what people hate. A lobby boy anticipate

226 Dec 29, 2022
A simple python application for running a CI pipeline locally This app currently supports GitLab CI scripts

🏃 Simple Local CI Runner 🏃 A simple python application for running a CI pipeline locally This app currently supports GitLab CI scripts ⚙️ Setup Inst

Tom Stowe 0 Jan 11, 2022
A basic instruction for Kubernetes setup and understanding.

A basic instruction for Kubernetes setup and understanding Module ID Module Guide - Install Kubernetes Cluster k8s-install 3 Docker Core Technology mo

648 Jan 02, 2023
Build and Push docker image in Python (luigi + docker-py)

Docker build images workflow in Python Since docker hub stopped building images for free accounts, I've been looking for another way to do it. I could

Fabien D. 2 Dec 15, 2022
A cpp project template that uses CMake to build and Google Test / Github Actions to provide a CI

A cpp project template that uses CMake to build and Google Test / Github Actions to provide a CI

Martin Olivier 6 Nov 17, 2022
SSH tunnels to remote server.

Author: Pahaz Repo: https://github.com/pahaz/sshtunnel/ Inspired by https://github.com/jmagnusson/bgtunnel, which doesn't work on Windows. See also: h

Pavel White 1k Dec 28, 2022
Python IMDB Docker - A docker tutorial to containerize a python script.

Python_IMDB_Docker A docker tutorial to containerize a python script. Build the docker in the current directory: docker build -t python-imdb . Run the

Sarthak Babbar 1 Dec 30, 2021
Google Kubernetes Engine (GKE) with a Snyk Kubernetes controller installed/configured for Snyk App

Google Kubernetes Engine (GKE) with a Snyk Kubernetes controller installed/configured for Snyk App This example provisions a Google Kubernetes Engine

Pas Apicella 2 Feb 09, 2022
Kubediff: a tool for Kubernetes to show differences between running state and version controlled configuration.

Kubediff: a tool for Kubernetes to show differences between running state and version controlled configuration.

Weaveworks 1.1k Dec 30, 2022
This is a tool to develop, build and test PHP extensions in Docker containers.

Develop, Build and Test PHP Extensions This is a tool to develop, build and test PHP extensions in Docker containers. Installation Clone this reposito

Suora GmbH 10 Oct 22, 2022
A Python Implementation for Git for learning

A pure Python implementation for Git based on Buliding Git

shidenggui 42 Jul 13, 2022
Ajenti Core and stock plugins

Ajenti is a Linux & BSD modular server admin panel. Ajenti 2 provides a new interface and a better architecture, developed with Python3 and AngularJS.

Ajenti Project 7k Jan 03, 2023
Knock your images before these make you painful.

image-knocker Knock your images before these make you painful. Background One day, I had run my deep learning model training program and got off work

Yonghye Kwon 9 Jul 25, 2022
Helperpod - A CLI tool to run a Kubernetes utility pod with pre-installed tools that can be used for debugging/testing purposes inside a Kubernetes cluster

Helperpod is a CLI tool to run a Kubernetes utility pod with pre-installed tools that can be used for debugging/testing purposes inside a Kubernetes cluster.

Atakan Tatlı 2 Feb 05, 2022
KivyPassword - A password generator using both Kivy framework and SQL in order to create a local database for users to generate strong passwords and store them

KivyPassword A password generator using both Kivy framework and SQL in order t

1 Jan 14, 2022